# This file will be compiled into /etc/nginx/nginx.conf

user  nginx;
worker_processes  <%= ENV['WORKER_PROCESSES'] || 1 %>;

pid        /var/run/nginx.pid;

events {
    worker_connections  <%= ENV['WORKER_CONNECTIONS'] || 1024 %>;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    ssl_protocols TLSv1.2 TLSv1.3;

    <% if ENV['ACCESS_LOG_INCLUDE_HOST'] == 'on' %>
    log_format  main  '$host:$server_port $remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    <% else %> 
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    <% end %>

    <% if ENV['WEBSOCKET'] && ENV['WEBSOCKET'].downcase == 'true' %>
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }
    <% end %>

    <% if ENV['CUSTOM_NGINX_GLOBAL_HTTP_CONFIG_BLOCK'] %>
        <%= ENV['CUSTOM_NGINX_GLOBAL_HTTP_CONFIG_BLOCK'] %>
    <% end %>
    <% if !ENV['ACCESS_LOG'] || ENV['ACCESS_LOG'] == '' || ENV['ACCESS_LOG'] == 'off'  %>
    access_log off;
    <% elsif ENV['ACCESS_LOG'] == 'stdout' %>
    access_log /dev/stdout main <%= ENV['ACCESS_LOG_BUFFER'] && "buffer=#{ENV['ACCESS_LOG_BUFFER']}" %>;
    <% elsif ENV['ACCESS_LOG'] == 'stderr' %>
    access_log /dev/stderr main <%= ENV['ACCESS_LOG_BUFFER'] && "buffer=#{ENV['ACCESS_LOG_BUFFER']}" %>;
    <% elsif ENV['ACCESS_LOG'] == 'default' %>
    access_log /var/log/nginx/access.log main <%= ENV['ACCESS_LOG_BUFFER'] && "buffer=#{ENV['ACCESS_LOG_BUFFER']}" %>;
    <% else %>
    access_log <%= ENV['ACCESS_LOG'] %>  main <%= ENV['ACCESS_LOG_BUFFER'] && "buffer=#{ENV['ACCESS_LOG_BUFFER']}" %>;
    <% end %>

    <% if !ENV['ERROR_LOG'] || ENV['ERROR_LOG'] == '' || ENV['ERROR_LOG'] == 'stderr'  %>
    error_log /dev/stderr <%= ENV['ERROR_LOG_LEVEL'] || "error" %>;
    <% elsif ENV['ERROR_LOG'] == 'off' %>
    error_log off;
    <% elsif ENV['ERROR_LOG'] == 'stdout' %>
    error_log /dev/stdout <%= ENV['ERROR_LOG_LEVEL'] || "error" %>;
    <% elsif ENV['ERROR_LOG'] == 'default' %>
    error_log /var/log/nginx/error.log <%= ENV['ERROR_LOG_LEVEL'] || "error" %>;
    <% else %>
    error_log <%= ENV['ERROR_LOG'] || "/var/log/nginx/error.log" %> <%= ENV['ERROR_LOG_LEVEL'] || "error" %>;
    <% end %>

    sendfile        on;

    keepalive_timeout  <%= ENV['KEEPALIVE_TIMEOUT'] || 65 %>;

    <% unless ENV['GZIP'] == 'off' %>
        gzip on;
        gzip_disable "msie6";
        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 6;
        gzip_buffers 16 8k;
        gzip_http_version 1.1;
        gzip_types application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font application/x-font-opentype application/x-font-otf application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/opentype font/otf font/ttf image/svg+xml image/x-icon text/css text/javascript text/plain text/xml;
    <% end %>

    server_tokens <%= ENV['SERVER_TOKENS'] || 'off' %>;

    server_names_hash_max_size <%= ENV['SERVER_NAMES_HASH_MAX_SIZE'] || 512 %>;

    <% if ENV['SERVER_NAMES_HASH_BUCKET_SIZE'] %>
    server_names_hash_bucket_size <%= ENV['SERVER_NAMES_HASH_BUCKET_SIZE'] %>;
    <% end %>

    <% if ENV['CLIENT_MAX_BODY_SIZE'] %>
    client_max_body_size <%= ENV['CLIENT_MAX_BODY_SIZE'] %>;
    <% end %>

    <% if ENV['PROXY_BUFFERS'] %>
    proxy_buffers <%= ENV['PROXY_BUFFERS'] %>;
    <% end %>

    <% if ENV['PROXY_BUFFER_SIZE'] %>
    proxy_buffer_size <%= ENV['PROXY_BUFFER_SIZE'] %>;
    <% end %>

    <% if ENV['RESOLVER'] %>
    resolver <%= ENV['RESOLVER'] %>;
    <% end %>

    <% if ENV['PROXY_CONNECT_TIMEOUT'] %>
    proxy_connect_timeout <%= ENV['PROXY_CONNECT_TIMEOUT'] %>;
    <% end %>

    <% if ENV['PROXY_SEND_TIMEOUT'] %>
    proxy_send_timeout <%= ENV['PROXY_SEND_TIMEOUT'] %>;
    <% end %>

    <% if ENV['PROXY_READ_TIMEOUT'] %>
    proxy_read_timeout <%= ENV['PROXY_READ_TIMEOUT'] %>;
    <% end %>

    <% if ENV['ACCESS_RESTRICTION'] %>
        <% ENV['ACCESS_RESTRICTION'].split(' ').each do |ip| %>
            allow <%= ip %>;
        <% end %>
        deny all;
    <% end %>

    include /etc/nginx/conf.d/*.conf;

    <% if ENV['DEFAULT_SERVER_BLOCK'] %>
      <%= ENV['DEFAULT_SERVER_BLOCK'] %>
    <% else %>
        # Prevent Nginx from leaking other server configurations on the same machine
        server {
            listen      80 default_server;
            server_name _;
            return      444;
        }
        server {
            listen      443 ssl default_server;
            ssl_reject_handshake on;
        }
    <% end %>
}
